Crate ppoppo_token 

Structs

Claims

IssueConfig

IssueRequest

Jwk

A single JWK entry. Pinned to the OKP/Ed25519/EdDSA shape — other kty values (EC, RSA, oct) deserialize but ed25519_bytes() returns None so the engine never accidentally accepts a non-Ed25519 key.

Jwks

JSON Web Key Set — collection of trusted public keys per RFC 7517 §5.

KeySet

SigningKey

VerifyConfig

Enums

Algorithm

Sealed JWS signature algorithm whitelist (Phase 7 §6.8 — structural M51/M52/M54).

AuthError

EpochRevocationError

IssueError

JwksError

JWKS-side errors surfaced to consumers of into_key_set.

ReplayDefenseError

Failure modes from a ReplayDefense substrate call.

SessionRevocationError

Constants

DEFAULT_ISSUER

SV_CACHE_TTL

TTL for the sv:{ppnum_id} cache entry shared between PAS (writer) and PCS / external SDK consumers (readers). Bounds the post-break-glass staleness window when the writer cannot preemptively invalidate.

Traits

EpochRevocation

Current per-account session_version lookup.

ReplayDefense

Atomic check-and-record over a per-token uniqueness key.

SessionRevocation

Per-session liveness check.

Functions

ed25519_public_from_pem

Derive the 32-byte Ed25519 public key from a PKCS8-encoded private PEM. Used by PAS at boot to populate /.well-known/jwks.json from the same key material that produces issuance signatures, so issuer and publisher cannot drift.

issue

Issue a signed Compact JWS for the given request + config + key.

sv_cache_key

Build the shared cache key for a given Human ppnum’s session_version.

verify

Verify a JWS Compact-serialized token against the configured policy.